Portfolio Version 1.2.0
PHP Version: 7
A logged-in user who has the "Manage portfolio" privilege can inject arbitrary web script or HTML via the editor. The XSS vulnerability is triggered by visiting /portfolio/${project_title}.
POC


The title field is also vulnerable to XSS.